TLS support is not compatible with upstream Pulsar images #177

Open
josephglanville opened this issue Aug 14, 2024 · 0 comments

Comments

josephglanville commented Aug 14, 2024

There are a few issues at play here:

  1. The certconverter routine requires openssl which isn't installed in upstream images
  2. certconverter also expects to write to /pulsar which is not writable by the pulsar (uid 10000) user on the upstream images
  3. The TLS configuration for Zookeeper disables support for TLSv1.3 which is the default client cipher suite on the upstream images. This causes the pulsar-zookeeper-metadata job to fail to bootstrap the cluster.

These can be worked around by crafting a custom image with a Dockerfile like so:

FROM apachepulsar/pulsar:3.3.1

USER 0
RUN apk add --no-cache openssl
RUN chown pulsar:root -R /pulsar
USER 10000

And then setting these keys on the Zookeeper config:

      zookeeper:
        config:
          ssl.protocol: TLSv1.3
          ssl.quorum.protocol: TLSv1.3
          ssl.enabledProtocols: TLSv1.3,TLSv1.2

To fix these issues I propose doing the cert conversion in an initContainer using a minimal Java + OpenSSL image that will decouple the TLS support from the choice of Pulsar image. I don't know what the best course of action is for the Zookeeper TLS settings.
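The initContainer approach proposed above, sketched as an added example that is not part of the issue or of the chart: the PEM-to-keystore conversion runs in a separate container and the result is handed to the unmodified upstream Pulsar image through an emptyDir, so Pulsar's image needs neither openssl nor a writable /pulsar. The converter image name, the secret names and the mount paths are assumptions; the Zookeeper protocol settings are left out.

```yaml
# Added example (not from the issue or the chart): Pod fragment doing the
# PEM -> keystore conversion in an initContainer. Image name, secret names
# and mount paths are assumptions, not values from the chart.
spec:
  securityContext:
    runAsUser: 10000                 # same uid the upstream image runs as
    runAsNonRoot: true
  volumes:
    - name: tls-pem
      secret:
        secretName: pulsar-tls       # assumed: holds tls.crt, tls.key, ca.crt
    - name: tls-keystore
      emptyDir:
        medium: Memory               # converted key material never hits disk
  initContainers:
    - name: certconverter
      # placeholder image: anything that ships both keytool and openssl
      image: example.invalid/java-openssl:placeholder
      env:
        - name: KS_PASS
          valueFrom:
            secretKeyRef:
              name: pulsar-tls-keystore   # assumed secret with the store password
              key: password
      command: ["/bin/sh", "-ec"]
      args:
        - |
          umask 077   # keystore files readable only by uid 10000
          openssl pkcs12 -export -in /pem/tls.crt -inkey /pem/tls.key \
            -name pulsar -out /keystore/keystore.p12 -passout "pass:$KS_PASS"
          keytool -importcert -noprompt -alias ca -file /pem/ca.crt \
            -keystore /keystore/truststore.jks -storepass "$KS_PASS"
      volumeMounts:
        - name: tls-pem
          mountPath: /pem
          readOnly: true
        - name: tls-keystore
          mountPath: /keystore         # emptyDir is writable regardless of /pulsar perms
  containers:
    - name: pulsar
      image: apachepulsar/pulsar:3.3.1  # unmodified upstream image, no custom build
      volumeMounts:
        - name: tls-keystore
          mountPath: /pulsar/keystore  # read-only view of the converted stores
          readOnly: true
```

Because the main container runs as the same uid that wrote the stores, the 0600 files created under `umask 077` stay readable to Pulsar while remaining hidden from any other user in the Pod.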
